Five things to know about China-linked Juniper router attacks

Juniper Networks has released a fix for the Junos OS vulnerability that Mandiant researchers say has been exploited by a China-based espionage group

Juniper Networks has released a patch fixing a vulnerability - which has seen reported exploitation in China-linked espionage attacks - affecting Junos OS routers.

In an advisory, Juniper urged customers to implement the fixes and cited the report about “malicious exploitation” of the flaw (which is tracked at CVE-2025-21590).

CRN has reached out to Juniper for further comment.

What follows are five things to know about the China-linked Juniper router attacks.

Espionage campaign

In a post Wednesday, Mandiant researchers disclosed details on an espionage campaign by a “China-nexus” threat group targeting Juniper routers.

The campaign has come to include the latest attacks exploiting the newly discovered Junos OS vulnerability, according to the researchers at Google Cloud-owned Mandiant.

The researchers said in the post that they had initially discovered the threat actor exploiting Junos OS routers starting in mid-2024.

The attackers were found to have “deployed custom backdoors on Juniper Networks’ Junos OS routers,” the researchers wrote.

“Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886.”

“Highly adept” attackers

Mandiant had previously disclosed findings on UNC3886 in June 2024, including tactics around abuse of legitimate credentials.

The researchers said in the post Wednesday that the espionage group has shown a focus on “maintaining long-term access to victim networks” as well as a “deep understanding of the underlying technology of the appliances being targeted.”

Overall, UNC3886 is a “highly adept China-nexus cyber espionage group that has historically targeted network devices and virtualisation technologies with zero-day exploits,” the researchers wrote.

Targets have mainly included organisations in the defence, technology and telecommunication industries, both in US as well as Asia, according to the Mandiant researchers.

Vulnerability discovery

The medium-severity vulnerability in Junos OS (CVE-2025-21590) was discovered and reported by an Amazon security engineer, Matteo Memelli, according to Juniper.

The vulnerability “allows a local attacker with high privileges to compromise the integrity of the device,” Juniper said in its advisory.

In the Mandiant post, researchers disclosed that UNC3886 is known to have exploited the Junos OS vulnerability.

Patch released

In the advisory Wednesday, Juniper released emergency “out-of-cycle” security fixes in connection with the vulnerability.

“At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT,” the company said.

Customers are “encouraged to upgrade to a fixed release,” Juniper said.

“Active” exploitation confirmed

In an advisory Thursday, the US cybersecurity and infrastructure security agency (CISA) confirmed that the Junos OS vulnerability has seen exploitation in attacks.

CISA said it has added the flaw to its catalogue of exploited vulnerabilities, “based on evidence of active exploitation.”

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said, adding that it “strongly urges all organisations to reduce their exposure to cyberattacks by prioritising timely remediation of catalogue vulnerabilities.”

This article originally appeared on CRN UK sister website CRN.